suricata
detect-dns-query.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup dnslayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "suricata-common.h"
32 #include "threads.h"
33 #include "decode.h"
34 #include "detect.h"
35 
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-build.h"
39 #include "detect-engine-mpm.h"
40 #include "detect-engine-prefilter.h"
41 #include "detect-engine-content-inspection.h"
42 #include "detect-content.h"
43 #include "detect-pcre.h"
44 
45 #include "flow.h"
46 #include "flow-util.h"
47 #include "flow-var.h"
48 
49 #include "util-debug.h"
50 #include "util-spm.h"
51 #include "util-print.h"
52 
53 #include "stream-tcp.h"
54 
55 #include "app-layer.h"
56 #include "app-layer-parser.h"
57 #include "detect-dns-query.h"
58 
59 #include "util-profiling.h"
60 #include "rust.h"
61 
62 static int DetectDnsQuerySetup(DetectEngineCtx *, Signature *, const char *);
63 static int g_dns_query_buffer_id = 0;
64 
65 static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
66  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
67  int list_id, uint32_t local_id)
68 {
69  SCEnter();
70 
71  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
72  if (buffer == NULL)
73  return NULL;
74  if (buffer->initialized)
75  return buffer;
76 
77  const uint8_t *data;
78  uint32_t data_len;
79  if (SCDnsTxGetQueryName(txv, false, local_id, &data, &data_len) == 0) {
80  InspectionBufferSetupMultiEmpty(buffer);
81  return NULL;
82  }
83  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
84  buffer->flags = DETECT_CI_FLAGS_SINGLE;
85 
86  SCReturnPtr(buffer, "InspectionBuffer");
87 }
88 
89 /**
90  * \brief Registration function for keyword: dns_query
91  */
92 void DetectDnsQueryRegister (void)
93 {
94  sigmatch_table[DETECT_DNS_QUERY].name = "dns.query";
95  sigmatch_table[DETECT_DNS_QUERY].alias = "dns_query";
96  sigmatch_table[DETECT_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
97  sigmatch_table[DETECT_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
98  sigmatch_table[DETECT_DNS_QUERY].Setup = DetectDnsQuerySetup;
99  sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_NOOPT;
100  sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
101 
102  DetectAppLayerMultiRegister(
103  "dns_query", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DnsQueryGetData, 2, 1);
104 
105  DetectBufferTypeSetDescriptionByName("dns_query",
106  "dns request query");
107  DetectBufferTypeSupportsMultiInstance("dns_query");
108 
109  g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
110 
111  /* register these generic engines from here for now */
112  DetectAppLayerInspectEngineRegister(
113  "dns_request", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
114  DetectAppLayerInspectEngineRegister("dns_response", ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
115  DetectEngineInspectGenericList, NULL);
116 
117  DetectBufferTypeSetDescriptionByName("dns_request",
118  "dns requests");
119  DetectBufferTypeSetDescriptionByName("dns_response", "dns responses");
120 }
121 
122 
123 /**
124  * \brief setup the dns_query sticky buffer keyword used in the rule
125  *
126  * \param de_ctx Pointer to the Detection Engine Context
127  * \param s Pointer to the Signature to which the current keyword belongs
128  * \param str Should hold an empty string always
129  *
130  * \retval 0 On success
131  * \retval -1 On failure
132  */
133 
134 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
135 {
136  if (DetectBufferSetActiveList(de_ctx, s, g_dns_query_buffer_id) < 0)
137  return -1;
138  if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0)
139  return -1;
140  return 0;
141 }
SigTableElmt_::url
const char * url
Definition: detect.h:1323
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1782
detect-content.h
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1528
SigTableElmt_::desc
const char * desc
Definition: detect.h:1322
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:153
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1320
InspectionBuffer::initialized
bool initialized
Definition: detect.h:379
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:410
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1377
InspectionBuffer
Definition: detect.h:375
threads.h
Flow_
Flow data structure.
Definition: flow.h:354
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1314
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:855
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1064
rust.h
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:380
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:270
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1305
detect-pcre.h
detect-engine-prefilter.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1114
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority, int tx_min_progress)
Definition: detect-engine.c:2245
detect-dns-query.h
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:269
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1609
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1110
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
app-layer-parser.h
util-profiling.h
detect-engine-build.h
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
detect-engine-content-inspection.h
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1321
suricata-common.h
util-spm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1622
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2152
DetectDnsQueryRegister
void DetectDnsQueryRegister(void)
Registration function for keyword: dns_query.
Definition: detect-dns-query.c:92
str
#define str(s)
Definition: suricata-common.h:300
detect-parse.h
Signature_
Signature container.
Definition: detect.h:614
DETECT_DNS_QUERY
@ DETECT_DNS_QUERY
Definition: detect-engine-register.h:245
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1541
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1504
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:245
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1211
flow.h
flow-var.h
app-layer.h